CNIL Cracks Down on Employee Video Monitoring and Password Strength


In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees, and because the CCTV enabled the constant monitoring of one employee, which made the recording disproportionate to the goal pursued. The CNIL also sanctioned the company because it failed to implement an adequate level of security for the data housed on its systems.

The agents of the CNIL noticed during an on-site inspection that the passwords used within the company to log into its systems, and therefore to access the personal data stored on those systems, were simple to crack. Indeed, most of them were only 5 characters long, and some were simply the employee's first name or surname and had not been changed since 2011.

The CNIL therefore required that the company implement a data security policy. 

After another on-site inspection, the agents of the CNIL noticed that, despite its commitments, the company had not implemented such a policy.

The CNIL concluded that the company did not provide for an adequate level of protection of data given that the passwords were short, simple and not modified.
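The three weaknesses the CNIL relied on (short passwords, passwords equal to the employee's own name, passwords never rotated) can be checked mechanically against an account inventory. The following is an added example written for this post, not code from the CNIL or the sanctioned company; the length threshold, the rotation window, the account records and the audit date are constructed assumptions, since the decision sets no numeric policy.

```python
from datetime import date

# Assumed policy values; the CNIL decision names no specific threshold.
MIN_LENGTH = 8
MAX_AGE_DAYS = 365


def normalize(text):
    """Lower-case and strip non-alphanumerics so 'Du-Pont' still matches 'dupont'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(password, first_name, surname, last_changed, today):
    """Return the list of policy findings for one account (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    pw = normalize(password)
    names = [normalize(n) for n in (first_name, surname)]
    if any(n and n in pw for n in names):
        findings.append("contains_name")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("stale")
    return findings


def audit(accounts, today):
    """Map each account name to its findings; only non-compliant accounts appear."""
    report = {}
    for acct in accounts:
        findings = check_password(
            acct["password"], acct["first_name"], acct["surname"],
            acct["last_changed"], today,
        )
        if findings:
            report[acct["user"]] = findings
    return report


# Constructed sample inventory mirroring the patterns described in the decision.
# Real audits would read password age from the directory and test the hash,
# never store plaintext; plaintext is used here only to keep the example self-contained.
ACCOUNTS = [
    {"user": "dupont", "first_name": "Marie", "surname": "Dupont",
     "password": "Dupont", "last_changed": date(2011, 3, 1)},
    {"user": "martin", "first_name": "Paul", "surname": "Martin",
     "password": "ab12c", "last_changed": date(2011, 6, 15)},
    {"user": "leroy", "first_name": "Claire", "surname": "Leroy",
     "password": "Correct-Horse-7!", "last_changed": date(2013, 5, 1)},
]
AUDIT_DATE = date(2013, 5, 30)  # constructed: the date of the CNIL deliberation

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

Running the script lists only the two non-compliant accounts; the third, with a long password rotated within the window, produces no finding. In a real environment the age check would come from the directory's password-last-set attribute and the length and name checks would be enforced at password-change time rather than by inspecting stored secrets.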

According to Article 34 of the French Data Protection Act of January 6th, 1978, the data controller shall take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties.

In a previous post, we highlighted the recommendations enacted by the CNIL to help companies to strengthen the security of their data processing.

In light of the vulnerabilities noticed during the on-site inspections and the failure of the company to properly address them, the company was required by the CNIL to pay a €10,000 fine.

Companies located in France must therefore pay particular attention to their data security policies to make sure that they comply with French data protection law requirements.